
Security and compliance

The Mambu platform is built to meet the security standards expected of financial institutions. It is also compliant with the key industry requirements, as verified and assured by an external certification body. Here’s how we do it.

External pentests

We perform continuous internal security tests. These are complemented by external penetration tests performed by security researchers multiple times per year. The penetration tests cover network security as well as the common web application vulnerability classes catalogued in the OWASP Top 10.

Openness & transparency

Our APIs and Data Dictionary are publicly available. Furthermore, customers can automate backup retrieval at any time. If you’re interested in detailed security assurance and compliance information, please contact us.

Data security

We apply principles such as defence in depth, need-to-know and least privilege, backed by preventive, detective and mitigating controls, to reduce the chance of data leakage or loss caused by internal or external threats.

Incident response

In the case of a (security) incident, we’re prepared with regularly-tested incident response plans and 24/7 on-call staff to react immediately and appropriately.

Infrastructure & regulation

  • Certified practices

    Mambu maintains an Information Security Management System (ISMS) according to ISO/IEC 27001 to proactively manage information security risks and review the effectiveness of our technical and organisational controls via internal and external audits.

    Mambu maintains Independent Service Auditor Reports SOC 1 and SOC 2 to provide assurance on the design, implementation, and operating effectiveness of the internal controls that are relevant to our customers’ financial statements (SOC 1) and internal controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria (SOC 2).

    Audit reports can be obtained through Customer Portal or upon request under a non-disclosure agreement.

  • AWS partner

    We are a member of the AWS Partner Network in the Financial Services Competency program. Mambu was audited under the AWS Well-Architected Program to confirm that we apply the security best practices available on the AWS platform, including encryption in transit and at rest and identity and access management.

  • Secure infrastructure

    Customer data is processed in AWS data centres, which hold a broad set of security and compliance certifications that give customers confidence to run regulated workloads there. Learn more about AWS Certifications.

  • Approved by regulators

    Financial regulators across many regions have approved the outsourcing of regulated financial workloads to Mambu.

Security features

  • We respect data privacy

    We support our customers' GDPR compliance by providing the features needed to fulfil data subject rights. We ensure personal data does not leave the customer's jurisdiction or, where it does, we provide assurances of adequate data protection outside that jurisdiction.

  • Complete audit rights

    We always ensure our customers and regulators can execute their supervisory function and have effective audit rights to Mambu’s business premises, processes and supply chain.

  • Isolation & control

    Our customers can choose a dedicated Mambu deployment that is not shared with other Mambu customers, giving them further control over the environment and the increased isolation required by financial regulators.

  • SLAs and business continuity

    We offer SLAs for uptime and for resolution times on customer inquiries. Our disaster recovery procedures and business continuity plans are regularly tested, and our SaaS solution is cloud-agnostic, with no lock-in to any specific cloud vendor.

  • Open banking platform

    The Mambu platform provides APIs for implementing the PSD2 regulation, allowing financial institutions to grant third-party providers access to end-customer data.

  • Built-in security

    Security is embedded in all stages of the software development lifecycle (SDLC) at Mambu – from requirements engineering, programming and QA to deployment, monitoring, alerting and incident management.

Reporting security issues

To report a security issue, please contact our security team by email encrypted with our public GPG key. Our security team will respond as quickly as possible. We kindly ask you not to publicly disclose any security issue until it has been addressed by Mambu.

If you want to know more about how we protect your data or your customers’ data, drop us a line.
